#!/usr/bin/env python3 """Guard IwoooS public frontend text against host/topology leakage. This guard is intentionally static and read-only. It does not connect to any runtime host or API; it only prevents public IwoooS copy from exposing internal host aliases, LAN endpoints, or working-lane identifiers as product text. """ from __future__ import annotations import argparse from pathlib import Path PUBLIC_FILES = [ Path("apps/web/messages/zh-TW.json"), Path("apps/web/messages/en.json"), Path("apps/web/src/app/[locale]/iwooos/page.tsx"), ] FORBIDDEN_FRAGMENTS = [ "host:", "Kali host", "Kali 112", "kali_112", "internal110", "security_compliance_s2_110", "127.0.0.1", "192.168.", "raw Wazuh payload", "source_thread_id", "批准!繼續", "P2-110", "P2-112", ] def validate(root: Path) -> None: violations: list[str] = [] for relative_path in PUBLIC_FILES: path = root / relative_path text = path.read_text(encoding="utf-8") for line_number, line in enumerate(text.splitlines(), start=1): for fragment in FORBIDDEN_FRAGMENTS: if fragment in line: violations.append(f"{relative_path}:{line_number}: forbidden {fragment!r}") if violations: formatted = "\n".join(violations[:20]) raise SystemExit(f"BLOCKED iwooos_frontend_display_redaction:\n{formatted}") def main() -> int: parser = argparse.ArgumentParser(description="Validate IwoooS public frontend display redaction.") parser.add_argument("--root", default=".") args = parser.parse_args() validate(Path(args.root).resolve()) print("IWOOOS_FRONTEND_DISPLAY_REDACTION_GUARD_OK") return 0 if __name__ == "__main__": raise SystemExit(main())